Autograph: Toward Automated, Distributed Worm Signature Detection

Abstract

Today's Internet intrusion detection systems (IDSes) monitor edge
networks' DMZs to identify and/or filter malicious flows. While an
IDS helps protect the hosts on its local edge network from compromise and
denial of service, it cannot alone effectively intervene to halt
and reverse the spreading of novel Internet worms. Generation of the
worm signatures required by an IDS--the byte patterns sought in
monitored traffic to identify worms--today entails non-trivial human
labor, and thus significant delay: as network operators detect
anomalous behavior, they communicate with one another and manually
study packet traces to produce a worm signature. Yet intervention must
occur early in an epidemic to halt a worm's spread. In this
paper, we describe Autograph, a system that automatically
generates signatures for novel Internet worms that propagate using TCP
transport. Autograph generates signatures by analyzing the prevalence of portions of flow payloads, and thus uses no knowledge
of protocol semantics above the TCP level. It is designed to produce
signatures that exhibit high sensitivity (high true positives)
and high specificity (low false positives); our evaluation of
the system on real DMZ traces validates that it achieves these
goals. We extend Autograph to share port scan reports among
distributed monitor instances, and using trace-driven simulation,
demonstrate the value of this technique in speeding the generation of
signatures for novel worms. Our results elucidate the fundamental
trade-off between early generation of signatures for novel worms and
the specificity of these generated signatures.